loading
loading
Recon
List the companies a target has acquired, straight from SecurityTrails.
overview
get-acq answers one scoping question: which companies has this organization acquired? Give it a parent domain and it hits the SecurityTrails /acquisitions endpoint, returning the acquired companies tied to that domain as JSON. That list is the part of an attack surface most teams miss, because a subsidiary's domains often run on infrastructure the parent never inventories.
Acquisitions widen recon scope in a way nothing else does. A company bought a year ago still carries its own root domains, certificates, and exposed services, and those frequently lag behind the parent's security baseline. Pulling acquisitions first means later enumeration covers the full corporate footprint, not only the flagship domain.
On Trickest, get-acq is a Recon node that reads a file of domains and writes a file and a folder of results. Run it early to expand scope, then feed the acquired companies' domains into subdomain enumeration so discovery covers everything the organization owns.
use cases
Point get-acq at a parent domain to pull the companies it has acquired, surfacing subsidiaries whose infrastructure rarely shows up in the parent's own asset inventory.
Run get-acq first to establish the real corporate boundary, then pass the acquired companies into subdomain discovery so nothing owned by the target gets skipped.
Recently acquired companies often lag behind the parent's security baseline. Listing them early points testing at the assets most likely to be under-monitored.
Schedule get-acq in a workflow so newly recorded acquisitions surface on their own, then chain the output into subfinder so each new company flows straight into enumeration.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domain-names | FILE | --domains | File with the list of parent domains to look up acquisitions for. |
| security-trails-apikey | STRING | -a | SecurityTrails API key used to authenticate the lookup. |
Showing key inputs. get-acq exposes 2 inputs in total.
example
# list the companies a target has acquired via SecurityTrailspython3 get-acq.py --domains domains.txt -a "$SECURITYTRAILS_API_KEY" -o acquisitions.json{ "endpoint": "/v1/domain/example.com/acquisitions", "acquisitions": [ "example.net", "example.org", "example.io", "example.dev", "example.app" ]}guidance
Reach for get-acq at the start of recon, when you need to know which companies a target has acquired before enumerating anything. It is an acquisition lookup, not a subdomain tool, so pair it with amass-intel for root domains and subfinder for the subdomains underneath them.
Finds an organization's root domains and network ranges via ASN, CIDR, and reverse whois. Broader org discovery, no acquisition list.
Reverse WHOIS lookup. Finds domains registered to the same entity, a different relationship than corporate acquisitions.
Pulls WHOIS data through ripe.net. Useful for registration and ownership detail once you have the domains get-acq surfaces.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A file of parent domains feeds get-acq, which lists the companies the target acquired and hands them to subfinder for subdomain enumeration before they land as a queryable output.
Facts on this page come from the live Trickest tool library.